Organisations

Access & Correction

An organisation is required to respond to an access request in respect of personal data in its possession as well as personal data that is under its control. However, organisations are prohibited from providing an individual access to his personal data if the provision of the data could reasonably be expected to:

cause immediate or grave harm to the individual's safety or physical/mental health;

threaten the safety or physical/mental health of another individual;

reveal personal data about another individual;

reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or

be contrary to national interest.

In addition, there are cases where organisations may deny access requests. For example, organisations will not be required to provide access to personal data if it is subject to legal professional privilege, or if the disclosure of the information would reveal confidential commercial information that could harm the competitive position of the organisation. There are also exclusions for access and correction of personal data with respect to any examination conducted by an education institution, examination scripts and examination results prior to their release. Organisations may also refuse access to or refuse to correct opinion data kept solely for an evaluative purpose as defined in the PDPA. The specific exceptions may be found in section 21 and the Fifth Schedule of the PDPA.

Organisations may charge an individual a reasonable fee for access to personal data about the individual. The purpose of the fee is to allow organisations to recover the incremental costs of responding to the access request, such as the cost of producing a physical copy of the personal data requested. To allow for greater flexibility, there is no prescribed amount of fees imposed on organisations.

As organisations are required to make the necessary arrangements to provide for standard types of access requests, the costs incurred in capital purchases (for example, purchasing new equipment to provide access to the requested personal data) should not be transferred to individuals. If the organisation chooses to charge a fee for an access request, the fee should accurately reflect the time and effort required to respond to the request.

Upon request, an organisation is generally required to correct an error or omission and send the corrected personal data to every other organisation to which the personal data was disclosed within a year before the correction, unless the other organisation does not need the corrected personal data for any legal or business purpose.

For example, the organisation may have disclosed a customer's name and address to a delivery company it engaged on a once-off basis to deliver a product that the customer purchased. Since the delivery has been completed, the organisation will not be required to send the corrected personal data to the delivery company.

An organisation need not make a correction where it is satisfied on reasonable grounds that a correction should not be made. In this case, the organisation shall annotate the personal data in its possession or under its control with the correction that is requested but not made. An organisation is also not required to alter an opinion, including a professional or expert opinion. Exceptions from the correction requirement may be found in the Sixth Schedule of the PDPA.